Update manifests to v1.3.2

VERSION

@@ -1 +1 @@
-1.3.1
+1.3.2

hack/installers/install-codegen-tools.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
 set -eux -o pipefail
 
-"$(dirname $0)/../install.sh" helm-linux jq-linux kustomize-linux protoc-linux swagger-linux
+KUSTOMIZE_VERSION=2.0.3 "$(dirname $0)/../install.sh" helm-linux jq-linux kustomize-linux protoc-linux swagger-linux

hack/installers/install-kustomize-linux.sh

@@ -1,7 +1,6 @@
 #!/bin/bash
 set -eux -o pipefail
 
-# TODO we use v2 for generating manifests, v3 for production - we should always use v3
 KUSTOMIZE_VERSION=${KUSTOMIZE_VERSION:-3.2.1}
 DL=$DOWNLOADS/kustomize-${KUSTOMIZE_VERSION}
 
@@ -11,7 +10,16 @@ DL=$DOWNLOADS/kustomize-${KUSTOMIZE_VERSION}
 # v3.2.0 = https://github.com/kubernetes-sigs/kustomize/releases/download/v3.2.0/kustomize_3.2.0_linux_amd64
 # v3.2.1 = https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.2.1/kustomize_kustomize.v3.2.1_linux_amd64
 # v3.3.0 = https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v3.3.0/kustomize_v3.3.0_linux_amd64.tar.gz
-[ -e $DL ] || curl -sLf --retry 3 -o $DL https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v${KUSTOMIZE_VERSION}/kustomize_kustomize.v${KUSTOMIZE_VERSION}_linux_amd64
+case $KUSTOMIZE_VERSION in
+  2.*)
+    URL=https://github.com/kubernetes-sigs/kustomize/releases/download/v${KUSTOMIZE_VERSION}/kustomize_${KUSTOMIZE_VERSION}_linux_amd64
+    ;;
+  *)
+    URL=https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v${KUSTOMIZE_VERSION}/kustomize_kustomize.v${KUSTOMIZE_VERSION}_linux_amd64
+    ;;
+esac
+
+[ -e $DL ] || curl -sLf --retry 3 -o $DL $URL
 cp $DL $BIN/kustomize
 chmod +x $BIN/kustomize
 kustomize version

manifests/base/kustomization.yaml

@@ -1,18 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
-
-images:
-- name: argoproj/argocd
-  newName: argoproj/argocd
-  newTag: v1.3.1
-- name: argoproj/argocd-ui
-  newName: argoproj/argocd-ui
-  newTag: v1.3.1
-resources:
+bases:
 - ./application-controller
 - ./dex
 - ./repo-server
 - ./server
 - ./config
 - ./redis
+
+images:
+- name: argoproj/argocd
+  newName: argoproj/argocd
+  newTag: v1.3.2
+- name: argoproj/argocd-ui
+  newName: argoproj/argocd-ui
+  newTag: v1.3.2

manifests/ha/base/kustomization.yaml

@@ -7,18 +7,18 @@ patchesStrategicMerge:
 - overlays/argocd-server-deployment.yaml
 - overlays/argocd-application-controller-deployment.yaml
 
-
-images:
-- name: argoproj/argocd
-  newName: argoproj/argocd
-  newTag: v1.3.1
-- name: argoproj/argocd-ui
-  newName: argoproj/argocd-ui
-  newTag: v1.3.1
-resources:
+bases:
 - ../../base/application-controller
 - ../../base/dex
 - ../../base/repo-server
 - ../../base/server
 - ../../base/config
 - ./redis-ha
+
+images:
+- name: argoproj/argocd
+  newName: argoproj/argocd
+  newTag: v1.3.2
+- name: argoproj/argocd-ui
+  newName: argoproj/argocd-ui
+  newTag: v1.3.2

manifests/ha/install.yaml

@@ -2789,30 +2789,6 @@ spec:
 ---
 apiVersion: v1
 kind: Service
-metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/name: argocd-redis-ha
-    app.kubernetes.io/part-of: argocd
-  name: argocd-redis-ha
-spec:
-  clusterIP: None
-  ports:
-  - name: server
-    port: 6379
-    protocol: TCP
-    targetPort: redis
-  - name: sentinel
-    port: 26379
-    protocol: TCP
-    targetPort: sentinel
-  selector:
-    app.kubernetes.io/name: argocd-redis-ha
-  type: ClusterIP
----
-apiVersion: v1
-kind: Service
 metadata:
   annotations:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
@@ -2891,6 +2867,30 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis-ha
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis-ha
+spec:
+  clusterIP: None
+  ports:
+  - name: server
+    port: 6379
+    protocol: TCP
+    targetPort: redis
+  - name: sentinel
+    port: 26379
+    protocol: TCP
+    targetPort: sentinel
+  selector:
+    app.kubernetes.io/name: argocd-redis-ha
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
 metadata:
   labels:
     app.kubernetes.io/component: repo-server
@@ -2912,6 +2912,23 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/name: argocd-server-metrics
+    app.kubernetes.io/part-of: argocd
+  name: argocd-server-metrics
+spec:
+  ports:
+  - name: metrics
+    port: 8083
+    protocol: TCP
+    targetPort: 8083
+  selector:
+    app.kubernetes.io/name: argocd-server
+---
+apiVersion: v1
+kind: Service
 metadata:
   labels:
     app.kubernetes.io/component: server
@@ -2931,23 +2948,6 @@ spec:
   selector:
     app.kubernetes.io/name: argocd-server
 ---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/component: server
-    app.kubernetes.io/name: argocd-server-metrics
-    app.kubernetes.io/part-of: argocd
-  name: argocd-server-metrics
-spec:
-  ports:
-  - name: metrics
-    port: 8083
-    protocol: TCP
-    targetPort: 8083
-  selector:
-    app.kubernetes.io/name: argocd-server
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -2982,7 +2982,7 @@ spec:
         - argocd-redis-ha-announce-2:26379
         - --sentinelmaster
         - argocd
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -3036,7 +3036,7 @@ spec:
         - cp
         - /usr/local/bin/argocd-util
         - /shared
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -3092,7 +3092,7 @@ spec:
         - argocd-redis-ha-announce-2:26379
         - --sentinelmaster
         - argocd
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         livenessProbe:
           initialDelaySeconds: 5
@@ -3166,7 +3166,7 @@ spec:
         - argocd-redis-ha-announce-2:26379
         - --sentinelmaster
         - argocd
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

manifests/ha/namespace-install.yaml

@@ -2704,30 +2704,6 @@ spec:
 ---
 apiVersion: v1
 kind: Service
-metadata:
-  annotations: null
-  labels:
-    app.kubernetes.io/component: redis
-    app.kubernetes.io/name: argocd-redis-ha
-    app.kubernetes.io/part-of: argocd
-  name: argocd-redis-ha
-spec:
-  clusterIP: None
-  ports:
-  - name: server
-    port: 6379
-    protocol: TCP
-    targetPort: redis
-  - name: sentinel
-    port: 26379
-    protocol: TCP
-    targetPort: sentinel
-  selector:
-    app.kubernetes.io/name: argocd-redis-ha
-  type: ClusterIP
----
-apiVersion: v1
-kind: Service
 metadata:
   annotations:
     service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
@@ -2806,6 +2782,30 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+  annotations: null
+  labels:
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/name: argocd-redis-ha
+    app.kubernetes.io/part-of: argocd
+  name: argocd-redis-ha
+spec:
+  clusterIP: None
+  ports:
+  - name: server
+    port: 6379
+    protocol: TCP
+    targetPort: redis
+  - name: sentinel
+    port: 26379
+    protocol: TCP
+    targetPort: sentinel
+  selector:
+    app.kubernetes.io/name: argocd-redis-ha
+  type: ClusterIP
+---
+apiVersion: v1
+kind: Service
 metadata:
   labels:
     app.kubernetes.io/component: repo-server
@@ -2827,6 +2827,23 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/name: argocd-server-metrics
+    app.kubernetes.io/part-of: argocd
+  name: argocd-server-metrics
+spec:
+  ports:
+  - name: metrics
+    port: 8083
+    protocol: TCP
+    targetPort: 8083
+  selector:
+    app.kubernetes.io/name: argocd-server
+---
+apiVersion: v1
+kind: Service
 metadata:
   labels:
     app.kubernetes.io/component: server
@@ -2846,23 +2863,6 @@ spec:
   selector:
     app.kubernetes.io/name: argocd-server
 ---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/component: server
-    app.kubernetes.io/name: argocd-server-metrics
-    app.kubernetes.io/part-of: argocd
-  name: argocd-server-metrics
-spec:
-  ports:
-  - name: metrics
-    port: 8083
-    protocol: TCP
-    targetPort: 8083
-  selector:
-    app.kubernetes.io/name: argocd-server
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -2897,7 +2897,7 @@ spec:
         - argocd-redis-ha-announce-2:26379
         - --sentinelmaster
         - argocd
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2951,7 +2951,7 @@ spec:
         - cp
         - /usr/local/bin/argocd-util
         - /shared
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -3007,7 +3007,7 @@ spec:
         - argocd-redis-ha-announce-2:26379
         - --sentinelmaster
         - argocd
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         livenessProbe:
           initialDelaySeconds: 5
@@ -3081,7 +3081,7 @@ spec:
         - argocd-redis-ha-announce-2:26379
         - --sentinelmaster
         - argocd
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

manifests/install.yaml

@@ -2684,6 +2684,23 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/name: argocd-server-metrics
+    app.kubernetes.io/part-of: argocd
+  name: argocd-server-metrics
+spec:
+  ports:
+  - name: metrics
+    port: 8083
+    protocol: TCP
+    targetPort: 8083
+  selector:
+    app.kubernetes.io/name: argocd-server
+---
+apiVersion: v1
+kind: Service
 metadata:
   labels:
     app.kubernetes.io/component: server
@@ -2703,23 +2720,6 @@ spec:
   selector:
     app.kubernetes.io/name: argocd-server
 ---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/component: server
-    app.kubernetes.io/name: argocd-server-metrics
-    app.kubernetes.io/part-of: argocd
-  name: argocd-server-metrics
-spec:
-  ports:
-  - name: metrics
-    port: 8083
-    protocol: TCP
-    targetPort: 8083
-  selector:
-    app.kubernetes.io/name: argocd-server
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -2746,7 +2746,7 @@ spec:
         - "20"
         - --operation-processors
         - "10"
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2800,7 +2800,7 @@ spec:
         - cp
         - /usr/local/bin/argocd-util
         - /shared
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -2864,7 +2864,7 @@ spec:
         - argocd-repo-server
         - --redis
         - argocd-redis:6379
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         livenessProbe:
           initialDelaySeconds: 5
@@ -2915,7 +2915,7 @@ spec:
         - argocd-server
         - --staticassets
         - /shared/app
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

manifests/namespace-install.yaml

@@ -2599,6 +2599,23 @@ spec:
 ---
 apiVersion: v1
 kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: server
+    app.kubernetes.io/name: argocd-server-metrics
+    app.kubernetes.io/part-of: argocd
+  name: argocd-server-metrics
+spec:
+  ports:
+  - name: metrics
+    port: 8083
+    protocol: TCP
+    targetPort: 8083
+  selector:
+    app.kubernetes.io/name: argocd-server
+---
+apiVersion: v1
+kind: Service
 metadata:
   labels:
     app.kubernetes.io/component: server
@@ -2618,23 +2635,6 @@ spec:
   selector:
     app.kubernetes.io/name: argocd-server
 ---
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    app.kubernetes.io/component: server
-    app.kubernetes.io/name: argocd-server-metrics
-    app.kubernetes.io/part-of: argocd
-  name: argocd-server-metrics
-spec:
-  ports:
-  - name: metrics
-    port: 8083
-    protocol: TCP
-    targetPort: 8083
-  selector:
-    app.kubernetes.io/name: argocd-server
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -2661,7 +2661,7 @@ spec:
         - "20"
         - --operation-processors
         - "10"
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:
@@ -2715,7 +2715,7 @@ spec:
         - cp
         - /usr/local/bin/argocd-util
         - /shared
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         name: copyutil
         volumeMounts:
@@ -2779,7 +2779,7 @@ spec:
         - argocd-repo-server
         - --redis
         - argocd-redis:6379
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         livenessProbe:
           initialDelaySeconds: 5
@@ -2830,7 +2830,7 @@ spec:
         - argocd-server
         - --staticassets
         - /shared/app
-        image: argoproj/argocd:v1.3.1
+        image: argoproj/argocd:v1.3.2
         imagePullPolicy: Always
         livenessProbe:
           httpGet:

reposerver/repository/repository.go

@@ -227,7 +227,6 @@ func helmTemplate(appPath string, q *apiclient.ManifestRequest) ([]*unstructured
 		SetString:   map[string]string{},
 	}
 
-	baseDirectoryPath := security.SubtractRelativeFromAbsolutePath(appPath, q.ApplicationSource.Path)
 	appHelm := q.ApplicationSource.Helm
 	if appHelm != nil {
 		if appHelm.ReleaseName != "" {
@@ -237,6 +236,10 @@ func helmTemplate(appPath string, q *apiclient.ManifestRequest) ([]*unstructured
 		for _, val := range appHelm.ValueFiles {
 			// If val is not a URL, run it against the directory enforcer. If it is a URL, use it without checking
 			if _, err := url.ParseRequestURI(val); err != nil {
+				baseDirectoryPath, err := security.SubtractRelativeFromAbsolutePath(appPath, q.ApplicationSource.Path)
+				if err != nil {
+					return nil, err
+				}
 				absBaseDir, err := filepath.Abs(baseDirectoryPath)
 				if err != nil {
 					return nil, err

util/security/path_traversal.go

@@ -17,20 +17,27 @@ func EnforceToCurrentRoot(currentRoot, requestedPath string) (string, error) {
 	return requestedDir + string(filepath.Separator) + requestedFile, nil
 }
 
-func SubtractRelativeFromAbsolutePath(abs, rel string) string {
+func SubtractRelativeFromAbsolutePath(abs, rel string) (string, error) {
 	if len(rel) == 0 {
-		return abs
+		return abs, nil
 	}
 	if rel[0] == '.' {
-		rel = rel[1:]
+		return SubtractRelativeFromAbsolutePath(abs, rel[1:])
 	}
 	if rel[0] != '/' {
-		rel = "/" + rel
+		return SubtractRelativeFromAbsolutePath(abs, "/"+rel)
 	}
 	if rel[len(rel)-1] == '/' {
-		rel = rel[:len(rel)-1]
+		return SubtractRelativeFromAbsolutePath(abs, rel[:len(rel)-1])
 	}
-	return abs[:strings.LastIndex(abs, rel)]
+	rel = filepath.Clean(rel)
+	lastIndex := strings.LastIndex(abs, rel)
+	if lastIndex < 0 {
+		// This should be unreachable, because by this point the App Path will have already been validated by Path in
+		// util/app/path/path.go
+		return "", fmt.Errorf("app path is not under repo path (unreachable and most likely a bug)")
+	}
+	return abs[:lastIndex], nil
 }
 
 func isRequestedDirUnderCurrentRoot(currentRoot, requestedDir string) bool {

util/security/path_traversal_test.go

@@ -27,15 +27,29 @@ func TestEnforceToCurrentRoot(t *testing.T) {
 
 func TestSubtractRelativeFromAbsolutePath(t *testing.T) {
 	for _, test := range []string{"env", "/env", "env/", "/env/", "./env"} {
-		subtracted := SubtractRelativeFromAbsolutePath("/argocd-example-apps/helm-guestbook/env/guestbook/env", test)
+		subtracted, err := SubtractRelativeFromAbsolutePath("/argocd-example-apps/helm-guestbook/env/guestbook/env", test)
+		assert.NoError(t, err)
 		assert.Equal(t, "/argocd-example-apps/helm-guestbook/env/guestbook", subtracted)
 	}
 	for _, test := range []string{"guestbook/env", "/guestbook/env", "guestbook/env/", "/guestbook/env/", "./guestbook/env"} {
-		subtracted := SubtractRelativeFromAbsolutePath("/argocd-example-apps/helm-guestbook/env/guestbook/env", test)
+		subtracted, err := SubtractRelativeFromAbsolutePath("/argocd-example-apps/helm-guestbook/env/guestbook/env", test)
+		assert.NoError(t, err)
 		assert.Equal(t, "/argocd-example-apps/helm-guestbook/env", subtracted)
 	}
-	for _, test := range []string{"", "/", "./"} {
-		subtracted := SubtractRelativeFromAbsolutePath("/argocd-example-apps/helm-guestbook/env/guestbook/env", test)
+	for _, test := range []string{"", ".", "/", "./"} {
+		subtracted, err := SubtractRelativeFromAbsolutePath("/argocd-example-apps/helm-guestbook/env/guestbook/env", test)
+		assert.NoError(t, err)
 		assert.Equal(t, "/argocd-example-apps/helm-guestbook/env/guestbook/env", subtracted)
 	}
+	// "Dirty" strings
+	for _, test := range []string{"guestbook/foo/../env", "/guestbook//env", "../guestbook/env/", "/../guestbook/env/", "./guestbook/env///"} {
+		subtracted, err := SubtractRelativeFromAbsolutePath("/argocd-example-apps/helm-guestbook/env/guestbook/env", test)
+		assert.NoError(t, err)
+		assert.Equal(t, "/argocd-example-apps/helm-guestbook/env", subtracted)
+	}
+	// Invalid strings
+	for _, test := range []string{"/not/in/path", "../not/in/path", "not/in/path"} {
+		_, err := SubtractRelativeFromAbsolutePath("/argocd-example-apps/helm-guestbook/env/guestbook/env", test)
+		assert.Error(t, err)
+	}
 }